Friday, May 09, 2008

The captive portal in pfSense lets you provide restricted internet access to guests via a web portal that prompts them to type a username and password. It looks and feels very similar to what you find in Wi-Fi hotspots, hotels, business centers, and coffee shops around the world.

In short, here’s how it works… you configure the captive portal in pfSense, hang some open access points off of it, and have pfSense hand out IPs to anyone who connects. Guests (contractors, stakeholders, etc.) arrive at your office, see the open APs and associate with them. They get an IP, and as soon as they try to browse the internet, DNS resolves their request to a portal for authentication. They authenticate, and now they can access the internet… segmented off of your business LAN.

Now, this isn’t quite the same thing as NAP, but beyond pfSense there’s no infrastructure investment, a limited configuration effort, and it makes life better for everyone.

Configuration in pfSense is pretty straightforward. There’s a video tutorial on the wiki, and my short how-to is below.

In pfSense do the following:

Interfaces>Add new interface

Interfaces>OPT1 (new interface)

Optional Interface Configuration>Enable

IP Configuration>Assign an IP address on a new subnet (e.g. 192.168.177.1/24)
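Before putting guests on the new subnet, it is worth checking that it does not overlap any internal network and that the rules planned for the guest interface keep guests off the business LAN. The following is an added example, not part of the original how-to or pfSense's own code; the internal networks and rule lists are constructed, and the rule model (first match wins, unmatched traffic dropped) is a simplified assumption rather than pfSense's configuration format.

```python
import ipaddress

# Guest subnet from the how-to; the internal networks are constructed samples.
GUEST_NET = ipaddress.ip_network("192.168.177.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.0.0/16")]

# Hypothetical ordered rules for the guest interface as (action, destination).
# Simplified model: first match wins, unmatched traffic is dropped.
GOOD_RULES = [("block", "192.168.1.0/24"), ("block", "10.10.0.0/16"), ("pass", "0.0.0.0/0")]
WEAK_RULES = [("block", "192.168.1.0/24"), ("block", "10.10.5.0/24"), ("pass", "0.0.0.0/0")]


def exposed(rules, target):
    """True if any address in `target` matches a pass rule before a block rule."""
    remaining = [target]  # parts of the target no earlier rule has matched
    for action, cidr in rules:
        rule_net = ipaddress.ip_network(cidr)
        still_unmatched = []
        for piece in remaining:
            if not piece.overlaps(rule_net):
                still_unmatched.append(piece)  # rule does not touch this piece
            elif action == "pass":
                return True  # at least one internal address is allowed
            elif rule_net != piece and rule_net.subnet_of(piece):
                # Block covers only part of the piece; keep checking the rest.
                still_unmatched.extend(piece.address_exclude(rule_net))
            # Otherwise the whole piece is blocked by this rule and is dropped.
        remaining = still_unmatched
    return False  # anything left falls through to the default drop


def audit(guest, internal, rules):
    """List segmentation problems for a guest subnet and its rule set."""
    findings = []
    for net in internal:
        if guest.overlaps(net):
            findings.append(f"guest subnet {guest} overlaps {net}")
        if exposed(rules, net):
            findings.append(f"guests can reach part of {net}")
    return findings


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("weak", WEAK_RULES)):
        print(name, audit(GUEST_NET, INTERNAL_NETS, rules) or "segmented")
```

The weak rule set blocks only one /24 inside the 10.10.0.0/16 range, so the rest of that range reaches the final pass rule and is reported.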

I believe you can with a RADIUS server backending authentication. Skimming through the forums I found this... http://forum.pfsense.org/index.php/topic,22741.0.html ... which deals with making changes while users are logged in.